
rule EXPL_Citrix_Netscaler_ADC_ForensicArtifacts_CVE_2023_3519_Jul23 {
   meta:
      description = "Detects forensic artifacts found after an exploitation of Citrix NetScaler ADC CVE-2023-3519"
      author = "Florian Roth"
      reference = "https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf"
      date = "2023-07-18"
      modified = "2023-07-21"
      score = 70
      id = "07d725cc-2cf2-55e5-8609-486500547f13"
   strings:
      // Network indicator: a single IP address (presumably taken from the
      // referenced advisory - confirm against it before tuning).
      $ip1 = "216.41.162.172" ascii fullword

      // Shell-history indicators: commands and paths that are only expected
      // in bash/sh logs after post-exploitation activity on the appliance.
      $hist1 = "/flash/nsconfig/keys" ascii
      $hist2 = "ldapsearch" ascii fullword
      $hist3 = "ns_gui/vpn" ascii
      $hist4 = "LDAPTLS_REQCERT" ascii fullword
   condition:
      // 'and' binds tighter than 'or', so the size bound applies only to the
      // IP branch; the shell-log branch is scoped by path and file name instead.
      // 'filepath' and 'filename' are external variables that the scanning
      // tool must define; plain yara without them will not compile this rule.
      (filesize < 10MB and $ip1)
      or (
         filepath == "/var/log"
         and filename matches /^(bash|sh)\.log/
         and any of ($hist*)
      )
}

rule EXPL_Citrix_Netscaler_ADC_ForensicArtifacts_CVE_2023_3519_Jul23_2 {
   meta:
      description = "Detects forensic artifacts found after an exploitation of Citrix NetScaler ADC CVE-2023-3519"
      author = "Florian Roth"
      reference = "https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf"
      date = "2023-07-21"
      score = 70
      id = "471ce547-0133-5836-b9d1-02c932ecfd1e"
   strings:
      // Staging/collection command lines: an archive of collected data is
      // created under /var/tmp and its output path referenced again.
      // $cmd3 looks like the archive being moved into /netscaler/ - hedged,
      // the exact command is not visible in this rule.
      $cmd1 = "tar -czvf - /var/tmp/all.txt" ascii fullword
      $cmd2 = "-out /var/tmp/test.tar.gz" ascii
      $cmd3 = "/test.tar.gz /netscaler/" ascii
   condition:
      // Any single command line is considered sufficient evidence.
      filesize < 10MB and any of ($cmd*)
}

rule EXPL_Citrix_Netscaler_ADC_ForensicArtifacts_CVE_2023_3519_Jul23_3 {
   meta:
      description = "Detects forensic artifacts found after an exploitation of Citrix NetScaler ADC CVE-2023-3519"
      author = "Florian Roth"
      reference = "https://www.mandiant.com/resources/blog/citrix-zero-day-espionage"
      date = "2023-07-24"
      score = 70
      id = "2f40b423-f1da-5711-ac4f-18de77cd52d0"
   strings:
      // Appliance configuration and key material being appended to a file.
      $art1 = "cat /flash/nsconfig/ns.conf >>" ascii
      $art2 = "cat /nsconfig/.F1.key >>" ascii
      // Base64 payload being decoded from a staging file under /tmp.
      $art3 = "openssl base64 -d < /tmp/" ascii
      // A private bash copy with the setuid bit set (mode 4775).
      $art4 = "cp /usr/bin/bash /var/tmp/bash" ascii
      $art5 = "chmod 4775 /var/tmp/bash" ascii
      // Repeated 'pwd' sequence as it appears in the captured shell history.
      $art6 = "pwd;pwd;pwd;pwd;pwd;" ascii
      // LDAP filter selecting enabled, non-computer accounts that carry a
      // servicePrincipalName - a service-account enumeration query.
      $art7 = "(&(servicePrincipalName=*)(UserAccountControl:1.2.840.113556.1.4.803:=512)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!(objectCategory=computer)))" ascii
   condition:
      // Each artifact is specific enough to fire on its own.
      filesize < 10MB and any of ($art*)
}

rule LOG_EXPL_Citrix_Netscaler_ADC_Exploitation_Attempt_CVE_2023_3519_Jul23_1 {
   meta:
      description = "This YARA rule detects forensic artifacts that appear following an attempted exploitation of Citrix NetScaler ADC CVE-2023-3519. The rule identifies an attempt to access the vulnerable function using an overly long URL, a potential sign of attempted exploitation. However, it does not confirm whether such an attempt was successful."
      author = "Florian Roth"
      reference = "https://blog.assetnote.io/2023/07/24/citrix-rce-part-2-cve-2023-3519/"
      date = "2023-07-27"
      score = 65
      id = "7dfe4130-d976-5d6d-a05d-ccadefe45406"
   strings:
      // Log line of the SSO form parser with an overly long URL:
      // the alternation matches any URLLEN of 200-999 (three digits, first
      // digit 2-9) or any value with 4 to 20 digits.
      $log_urllen = /GWTEST FORMS SSO: Parse=0; URLLEN=([2-9][0-9]{2}|[0-9]{4,20}); Event: start=0x/
      // Remainder of the same log record; required to reduce false positives.
      $log_target = ", type=1; Target: start=0x"
   condition:
      // Both fragments must be present. Note there is no filesize bound here,
      // so large log files are scanned in full.
      $log_urllen and $log_target
}

rule WEBSHELL_SECRETSAUCE_Jul23_1 {
   meta:
      description = "Detects SECRETSAUCE PHP webshells (found after an exploitation of Citrix NetScaler ADC CVE-2023-3519)"
      author = "Florian Roth"
      reference = "https://www.mandiant.com/resources/blog/citrix-zero-day-espionage"
      date = "2023-07-24"
      score = 85
      id = "db0542e7-648e-5f60-9838-e07498f58b51"
   strings:
      // Group A: generic PHP eval-of-request-parameter pattern; each string
      // is weak on its own, so the condition requires all three together.
      $a1 = "for ($x=0; $x<=1; $x++) {" ascii
      $a2 = "$_REQUEST[" ascii
      $a3 = "@eval" ascii

      // Group B: more specific code fragments of the webshell class.
      $b1 = "public $cmd;" ascii
      $b2 = "return @eval($a);" ascii
      $b3 = "$z->run($z->get('openssl_public_decrypt'));" ascii
   condition:
      // Small files only (PHP scripts); either the complete generic pattern
      // or at least two of the specific fragments.
      filesize < 100KB
      and (all of ($a*) or 2 of ($b*))
}


